IETF Logo Mail Archive

Re: [Idr] WGLC on draft-ietf-idr-as-private-reservation-00

Jon Mitchell <jrmitche@puck.nether.net> Mon, 10 December 2012 22:59 UTC

Return-Path: <jrmitche@puck.nether.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8662421F8507 for <idr@ietfa.amsl.com>; Mon, 10 Dec 2012 14:59:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dXYS3VoYi-Fb for <idr@ietfa.amsl.com>; Mon, 10 Dec 2012 14:59:05 -0800 (PST)
Received: from puck.nether.net (puck.nether.net [IPv6:2001:418:3f4::5]) by ietfa.amsl.com (Postfix) with ESMTP id 8BA0D21F862E for <idr@ietf.org>; Mon, 10 Dec 2012 14:59:05 -0800 (PST)
Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by puck.nether.net (8.14.4/8.14.4) with ESMTP id qBAMwxkf006242 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 10 Dec 2012 17:58:59 -0500
Received: (from jrmitche@localhost) by puck.nether.net (8.14.4/8.14.4/Submit) id qBAMwwTk006241; Mon, 10 Dec 2012 17:58:58 -0500
Date: Mon, 10 Dec 2012 17:58:58 -0500
From: Jon Mitchell <jrmitche@puck.nether.net>
To: "Pradosh Mohapatra (pmohapat)" <pmohapat@cisco.com>
Message-ID: <20121210225858.GC24937@puck.nether.net>
References: <CA+b+ERnuWZ+r2O-eFhe3hU00uoU4UKnRcbhLNVXU7p5+DjoWbQ@mail.gmail.com> <C6C16AE3B7961044B04A1BCEC6E2F93603D12A0C@xmb-rcd-x14.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <C6C16AE3B7961044B04A1BCEC6E2F93603D12A0C@xmb-rcd-x14.cisco.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.6 (puck.nether.net [204.42.254.5]); Mon, 10 Dec 2012 17:58:59 -0500 (EST)
Cc: "idr@ietf.org" <idr@ietf.org>, Jay Borkenhagen <jayb@braeburn.org>, Tony Tauber <ttauber@1-4-5.net>, Robert Raszuk <robert@raszuk.net>
Subject: Re: [Idr] WGLC on draft-ietf-idr-as-private-reservation-00
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Dec 2012 22:59:06 -0000

Pradosh / Randy / et al - although Robert has pointed out already that
in the end someone who knows that these routes need to go to the
Internet needs to peer with said Enterprise in your example, and this
ISP is ultimately responsible for allowing the routes to reach the
Internet (and can consider the operational considerations that is
already fairly clear in my opinion), I think this is a moot point.
However, thinking about your inter-as use case if combined with Internet
access gateway type functionality or other random topologies, I can
certainly create some that allow an ISP that allows BYOA (bring your own
asn?) to accept routes from an ASN that is private (old range) and
provide transit to a new range ASN behind that old range.  I actually
think this problem is not a large operational concern as it already is
an artificat of mis-configurations and mis-understandings of said vendor
implementations in the existing range.  Those using private ASNs and
leaking them to the Internet do not get a lot of tear drops when their
prefixes are dropped based on ingress filters or as-path loop detection
by other networks.

I think a large part of the debate on this draft has been due to the
implication that these would be used by organizations that allocate ASNs
to others outside their organization, such as ISPs, versus internal use
within very large organizations.  After WGLC, if the draft proceeds, I
may propose small changes to the operational considerations section as
there does seem to be sufficient angst, especially from the ISP
community on behavior changes (to use private ASNs in more networks or
applications that otherwise wouldn't have I guess) that may be induced
by operators based on there being an expanded range.  Are there others
who think that the following modification(s) would be useful (whether or
not you support the draft)?

(from the last sentence of 1st paragraph and total of second paragraph
is the new proposed text, ignore sp or grammer errors)

---
If private use ASNs are used and prefixes are originated from these
private use ASNs which are destined to the Internet, private use ASNs
must be removed from the AS_PATH before being advertised to the global
Internet.  Prior to making use of the second, numerically higher, range
of these ASNs network operators should be confident any implementation
specific features or filters that recognize private use ASNs have been
updated to recognize both ranges correctly so that no unintended
announcement of private use ASNs to the Internet occurs.  Specifically,
any implementation specific features should treat both ranges similarly
and there is no need to differentiate between the existing and new
ranges.

Networks that provide Internet connectvity for prefixes originated in
other ASNs should be cautious about allocating the new range or ever
guarenteeing transport of prefixes originating from private ASNs
especially if alternative approaches can suffice for their needs, for
instance as described in RFC2270.  Certain topologies, whether using the
existing or new range, can cause vendor specific implementations of
features that recognize the private ASN range to not remove all
instances of the Private ASNs from the AS_PATH, resulting in a prefix
that may not be reachable from all of the Internet due to containing a
Private ASN.  Private ASNs also introduce additional complexity
especially during network mergers and consolidations and careful
consideration should be given to their use versus a globally unique ASN
from a Regional Internet Registries (RIR).
---

Let me know your thoughts on this...

Thanks,

Jon


On Wed, Dec 05, 2012 at 09:45:14PM +0000, Pradosh Mohapatra (pmohapat) wrote:
> >I think both Tony and Jay forgot that routing and reachability is not
> >about originator AS .. it is about prefixes they advertise.
> >
> >If peering ISP AS chooses to peer with private as or remove private as
> >from AS-PATH or for completeness substitute with their own it is all
> >ok. He takes responsibility to route data to such customer(s).
> >
> >Any subsequent removal of private as in the path also results in the
> >same responsibility of the provider who permits private AS for
> >peering.
> >
> >I am not sure why there is concern with it on the list.
> 
> 
> Not sure you understood the issue Jay was pointing to - but it is a
> problem worth talking about if we are serious about advancing this draft.
> 
> Say an enterprise starts using ASN 4278190081. It already has a bunch of
> ASNs from the 16-bit private AS range and relies on the correct behavior
> of "remove-private-as" from the ISP. The ISP routers are not upgraded to
> understand 4278190081 is a private ASN. We get into all sorts of
> interesting scenarios based on the connectivity graph (changes in traffic
> pattern come to mind as I know folks compare AS_PATH length taking into
> account remove-private-as).
> 
> The 'operational considerations' section does talk about this - but I
> would like it described in more detail.
> 
> - Pradosh
> 
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr

v2.31.3 | Report a Bug | By Email | System Status